Free Cisco 300-540 Practice Exam with Questions & Answers

Comprehensive and Detailed Explanation From Cisco SP Cloud Network Infrastructure Security Knowledge

Cloud security compliance frameworks (such as ISO 27001, PCI-DSS, GDPR, SOC 2, HIPAA) require:

Evidence of security events

Retention of logs for audit periods

Ability to generate compliance reports

Traceability and accountability

Incident investigation support

Effective log management enables:

Centralized collection of application, network, and system logs

Storage of logs for mandated retention periods

Generation ofaudit-ready reports

Documentation required for compliance assessments

Demonstration that monitoring and security controls are active and functioning

Therefore, the role of log management in regulatory compliance is primarily aboutdocumentation, traceability, auditing, and reporting, which aligns only with Option A.

The other options do not directly serve regulatory compliance requirements:

Brelates to resource optimization, not compliance.

Crefers to interoperability, which is unrelated to regulatory auditing.

Dimproves security but does not directly address compliance documentation.

Comprehensive and Detailed Explanation

In Cisco NFVI security architecture, the primary defense againstlateral movement(an attacker moving from one compromised node to another) isnetwork segmentation.

Segmentation:

Separates workloads (compute, storage, management, tenant networks)

Prevents attackers from pivoting inside the NFVI

Reduces blast radius during breaches

Enforces micro-segmented virtual network boundaries

WPA protects Wi-Fi, not NFVI.

WAF protects web apps, not internal movement.

Data encryption protects confidentiality, not lateral movement control.

Thus,network segmentationis the correct solution.

Comprehensive and Detailed Explanation Based on Designing and Implementing Cisco Service Provider Cloud Network Infrastructure Knowledge

When connectingcarrier-neutral facilities (CNFs)ordata centerswithin the same metropolitan area, service providers typically usehigh-bandwidth, low-latency optical transport methods. The most appropriate and commonly deployed interconnection technology is:

DWDM (Dense Wavelength Division Multiplexing) ring, which provides:

High capacity (10G, 40G, 100G, 400G)

Low latency

Redundancy through ring or mesh topologies

Multi-wavelength multiplexing for cost efficiency

Carrier-grade reliability for metro interconnect services

This aligns with cloud interconnect and metro transport design used in service provider environments.

Evaluation of the Options

A. OSPF backbone area adjacency

This is a routing protocol adjacency, not a physical connection method. It requires a transport link underneath but does not represent the physical interconnect itself.

B. Private wireless connection

Not suitable for CNF or metro DC interconnect because it lacks the bandwidth, reliability, and deterministic performance required for large-scale carrier-grade interconnects.

C. DWDM ring

This is the correct method. DWDM-based metro fiber rings are the standard for connecting carrier-neutral facilities in the same metro region.

D. CAT6e connection

This is limited to short-distance copper Ethernet (tens of meters). It is not used for metro-scale interconnects or between CNFs.

From Cisco’s EVPN VXLAN multihoming design requirements,port-active multihominguses asingle LAG (EtherChannel / Bundle-Ether)between the host/router and the pair of leaf switches. All physical interfaces participating in that bundle must be configured with:

bundle id mode active

This command:

Associates the physical interfaces (g1/0 and g1/1) withBundle-Ether1.

UsesLACP activemode, which is required for EVPN port-active multihoming.

Enables the host-facing port-channel required to support EVPN multihomed connectivity.

In the exhibit, R1 already has:

interface Bundle-Ether1

description "Bundle to Leaf-1"

interface Bundle-Ether1.10

ip address 192.168.10.1 255.255.255.0

This confirms that the engineer intends to bundleg1/0andg1/1together intoBundle-Ether1, and the missing step is adding the interfaces into that bundle.

The correct configuration is:

interface g1/0

bundle id 1 mode active

interface g1/1

bundle id 1 mode active

Why the other options are incorrect

A. evpn ethernet-segment 1This command is used on EVPN leaf switches (not R1) to define an ESI for multihoming. R1 is not an EVPN VTEP.

B. switchport mode trunkR1 is a router, not a switch. L3 interfaces do not use switchport.

C. encapsulation dot1q 1This applies only to subinterfaces, not physical interfaces, and is unrelated to building a LAG for port-active multihoming.

For asite-to-site IPsec VPN, each peer must point to thereachable IP address of the remote VPN endpoint—that is, the IP address on the WAN/Internet-facing interface of the remote router.

From the diagram:

R1 outside (toward Internet):192.168.10.1

R2 outside (toward Internet):192.168.20.2

Inside LANs:

Site 1:10.1.0.0/24

Site 2:10.2.0.0/24

The crypto map on R1 uses:

crypto map mymap 10 ipsec-isakmp

set transform-set myset

match address 101

set peer

The must be the IP address where R1 can actually reach the IPsec peer, which is R2’s Internet-facing interface192.168.20.2.

If the peer were configured with a LAN IP such as 10.2.0.1 (site 2’s internal gateway), IKE packets would never reach the remote router because that address is not routable over the Internet.

Therefore, the correct command to bring up the VPN is:

set peer 192.168.20.2

Option A (10.1.0.1)– local LAN IP (R1’s side), not the remote endpoint.

Option C (192.168.10.1)– R1’s own WAN IP, not the remote peer.

Option D (10.2.0.1)– remote LAN IP, not reachable directly over the Internet.

For a site-to-site IPsec VPN, each peer must configure apre-shared keytied to thepublic IP address of the remote VPN peer:

crypto isakmp key address

From the diagram:

R1 outside IP:192.168.10.1/24

R2 outside IP:192.168.20.2/24← remote peer for R1

In the current R1 configuration, the ISAKMP key is incorrectly bound to192.168.10.2, which is a local next-hop/ISP address on R1’s own subnet, not the R2 public IP. Because the pre-shared-key address does not match the source IP of R2’s IKE packets, phase 1 negotiation fails and the tunnel never comes up.

The correct configuration on R1 must therefore be:

crypto isakmp key vpnuser address 192.168.20.2

Options A and C incorrectly change the default route (next hop must be the local ISP router, not R2’s public IP or a LAN address). Option D uses an internal address (10.1.1.2), which is not the IP used for IKE on the Internet.

Comprehensive and Detailed Explanation

In Cisco high-availability LAN gateway designs, the requirement is:

Multiple L3 gateways sharing avirtual MAC and virtual IP

Ability toload balanceacross multiple active gateways

Capability toseamlessly take overgateway forwarding during a failure

Among Cisco First Hop Redundancy Protocols (FHRPs):

HSRP→ Active/standby only

VRRP→ Active/standby only

GLBP (Gateway Load Balancing Protocol)→The only FHRP providing active/active load balancing

GLBP allows multiple routers to share:

Acommon virtual IP

Multiplevirtual MAC addresses

Multipleactive forwardersthat load-balance end hosts

Automatic failover if any gateway fails

Thus, GLBP is the only correct protocol matching the requirement forredundant default gateways with load balancing and shared MAC addressing.

R1 (AS 200) is multihomed to:

SP-1 in AS 300 via neighbor172.16.1.1

SP-2 in AS 400 via neighbor172.16.2.1

R1 must:

Advertiseonly locally originated prefixes(its own network 10.10.0.0/24).

NOTbecome atransit AS—i.e., R1 mustnotadvertise routes learned from one provider to the other.

The configuration includes AS-path access-lists:

ip as-path access-list 1 permit ^$

ip as-path access-list 200 permit ^200

ip as-path access-list 300 permit ^300

ip as-path access-list 400 permit ^400

^$ in AS-path ACL1matcheslocally originated routes(empty AS-path).

ACLs 200, 300, and 400 match routes whose first AS in the path is 200, 300, or 400 respectively (used if we needed to match those provider or customer routes).

To ensure each upstream provider only receiveslocally originatedroutes, we apply AS-path ACL1as anoutbound filter-liston each external BGP neighbor:

router bgp 200

neighbor 172.16.1.1 remote-as 300

neighbor 172.16.1.1 filter-list 1 out ← only advertise local prefixes to SP-1

neighbor 172.16.2.1 remote-as 400

neighbor 172.16.2.1 filter-list 1 out ← only advertise local prefixes to SP-2

This way:

Routes learned from SP-1 (AS 300) willnotbe advertised to SP-2 (AS 400) because their AS-path will begin with 300, not empty, so they fail ACL 1.

Similarly, routes from SP-2 will not be sent to SP-1.

Only R1’s own prefixes are exported, preventing AS 200 from becoming a transit network.

In aCisco NFVI C-Series Pod, the Top-of-Rack (ToR) switches are almost always configured as avPC pair.

A vPC domain requiresthree mandatory components:

vPC domain ID

vPC peer-link

vPC peer-keepalive link←ensures dual-active detection

In the exhibit:

The management interfaces areTor-A Mgmt0: 10.10.10.1andTor-B Mgmt0: 10.10.10.2

These IPs are used commonly as thepeer-keepalive endpoints

The physical uplinks to NFVI nodes formPort-Channel110

Since the configuration snippet already includes:

feature vpc

feature lacp

channel-group 110 mode active

Thenext required stepin a Cisco NFVI + vPC configuration is to configure thepeer-keepalivefrom ToR-A toward ToR-B:

vpc domain 1

peer-keepalive destination 10.10.10.2

This ensures:

vPC roles sync

Dual-active prevention

Stable operation for the NFVI C-Series rack

Why the Other Options Are Incorrect

A. vpc peer-linkThis is required but must be configured on the dedicated peer-link interfaces, not on the server-facing port-channel.

C. channel-group 110 mode onThe correct mode is already configured: mode active for LACP. mode on disables LACP.

D. switchport mode accessNFVI ToR links usetrunking, not access mode, because servers carry multiple networks (control, compute, storage, management VLANs).

Comprehensive and Detailed Explanation From Exact Extract from my knowledge of Designing and Implementing Cisco Service Provider Cloud Network Infrastructure Outlines without Any External URL or Links:

Cisco+ Hybrid Cloud is Cisco’s as-a-service consumption model that offers pay-as-you-go infrastructure. For ahybrid workplace, the focus is on giving users secure desktop environments from anywhere, with the ability torapidly deployandscale up or downbased on the number of users or partners.

Cisco+Hybrid Cloud for Virtual Desktop Infrastructure (VDI)specifically delivers desktop and app workspaces as an on-demand service. It allows partners to consume desktops elastically, paying for capacity as needed and scaling the underlying compute, storage, and networking without rebuilding the environment.

Bare Metal Compute and Virtualization offers flexible infrastructure but are aimed at app/workload hosting rather than user desktop workspaces.

Service Provider Networking addresses network services, not end-user hybrid workplace desktops.Therefore, for a pay-as-you-go, rapidly deployable, elastic solution in a hybrid workplace,Cisco+ Hybrid Cloud for Virtual Desktop Infrastructureis the correct choice.